Which statement explains the issue?

Your customer is having wireless VoIP problems. When the Cisco 7925 phones roam from AP1 to AP2, the voice drops out and comes back. The phones are set up for PEAP/WPA2-AES with CCKM to an external RADIUS server. The APs and WLAN are setup up in FlexConnect mode.

Which statement explains the issue?
A . The APs have not been added to the FlexConnect group.
B . PEAP with WPA2-AES is not supported with Cisco Centralized Key Management, use EAP-FAS
D . PEAP with WPA2-AES is not supported with Cisco Centralized key Management, use LEA
F . The APs have been added to the FlexConnect Group.

View Answer

Answer: A

Explanation:

From:

Cisco Wireless Controller Configuration Guide, Release 8.0 -FlexConnectGroups [Cisco Wireless LAN Controller Software] -Cisco http://www.cisco.com/c/en/us/td/docs/wireless/controller/8-0/configuration-guide/b_cg80/b_cg80_chapter_0101110.html

All of the FlexConnect access points in a group share the same backup RADIUS server, CCKM, and local authentication configuration information. This feature is helpful if you have multiple FlexConnect access points in a remote office or on the floor of a building and you want to configure them all at once. For example, you can configure a backup RADIUS server for a FlexConnect rather than having to configure the same server on each access point.

Configuring FlexConnect Groups (CLI)Step1 AddaddordeleteaFlexConnectGroupbyenteringthiscommand: config flexconnect group group_name { add | delete } Step2 ConfigureaprimaryorsecondaryRADIUSserverfortheFlexConnectgroupbyenteringthiscommand: config flexconnect group group_name radius server auth { add | delete } { primary | secondary } server_index Step3 ConfigureaprimaryorsecondaryRADIUSserverfortheFlexConnectgroupbyenteringthiscommand: config flexconect group group-name radius server auth {{ add { primary | secondary } ip-addr auth-port secret } | { delete { primary | secondary }}} Step4 AddanaccesspointtotheFlexConnectGroupbyenteringthiscommand: config flexconnect group_name ap { add | delete } ap_mac Step5 ConfigurelocalauthenticationforaFlexConnectasfollows: a. MakesurethataprimaryandsecondaryRADIUSserverarenotconfiguredfortheFlexConnectGroup. b. ToenableordisablelocalauthenticationforthisFlexConnectgroup,enterthiscommand: config flexconnect group group_name radius ap { enable | disable } c. EntertheusernameandpasswordofaclientthatyouwanttobeabletoauthenticateusingLEAP,EAP-FAST,PEAP,orEAP-TLSbyenteringthiscommand: configflexconnectgroup group_name radiusapuseradd username password password

Note

You can add up to 100 clients.

d.AllowaFlexConnectaccesspointgrouptoauthenticateclientsusingLEAPortodisablethisbehaviorbyenteringthiscommand:

config flexconnect group group_name radius ap leap { enable | disable }

e. AllowaFlexConnectaccesspointgrouptoauthenticateclientsusingEAP-FASTortodisablethisbehaviorbyenteringthiscommand:

config flexconnect group group_name radius ap eap-fast { enable | disable }

f. TodownloadEAPRootandDevicecertificatetoAP,enterthiscommand:

config flexconnect group group_name radius ap eap-cert download

g. AllowaFlexConnectaccesspointgrouptoauthenticateclientsusingEAP-TLSortodisablethisbehaviorbyenteringthiscommand:

config flexconnect group group_name radius ap eap-tls { enable | disable }

h. AllowaFlexConnectaccesspointgrouptoauthenticateclientsusingPEAPortodisablethisbehaviorbyenteringthiscommand:

config flexconnect group group_name radius ap peap { enable | disable }

i. AllowaFlexConnectaccesspointgrouptoauthenticateclientsusingPEAPortodisablethisbehaviorbyenteringthiscommand:

config flexconnect group group_name radius ap peap { enable | disable }

j. AllowaFlexConnectaccesspointgrouptoauthenticateclientsusingEAP-TLSortodisablethisbehaviorbyenteringthiscommand:

config flexconnect group group_name radius ap eap-tls { enable | disable }

k. DownloadtheEAProotanddevicecertificatebyenteringthiscommand:

config flexconnect group group_name radius ap eap-cert download

l. Enteroneofthefollowingcommands,dependingonhowyouwantPACstobeprovisioned:

config flexconnect group group_name radius ap server-key key ―Specifies the server key used to encrypt and decrypt PACs. The key must be 32 hexadecimal characters.

config flexconnect group group_name radius ap server-key auto ―Allows PACs to be sent automatically to clients that do not have one during PAC provisioning.

m. TospecifytheauthorityidentifieroftheEAP-FASTserver,enterthiscommand: configflexconnectgroup group_name radiusapauthorityid id

where id is 32 hexadecimal characters.

n. TospecifytheauthorityidentifieroftheEAP-FASTserverintextformat,enterthiscommand: configflexconnectgroup group_name radiusapauthorityinfo info

where info is up to 32 hexadecimal characters.

o. TospecifythenumberofsecondsforthePACtoremainviable,enterthiscommand: configflexconnectgroup group_name radiusappac-timeout timeout

where timeout is a value between 2 and 4095 seconds (inclusive) or 0. A value of 0, which is the default value, disables the PAC timeout.

Step6 ConfigureaPolicyACLonaFlexConnectgroupbyenteringthiscommand: config flexconnect group group-name policy acl { add | delete } acl-name Step7 Configurelocalsplittunnelingonaper-FlexConnectgroupbasisbyenteringthiscommand: config flexconnect group group_name local-split wlan wlan-id acl acl-name flexconnect-group-name { enable | disable } Step8 Tosetmulticast/broadcastacrossL2broadcastdomainonoverriddeninterfaceforlocallyswitchedclients,enterthiscommand: config flexconnect group group_name multicast overridden-interface { enable | disable } Step9 ConfigurecentralDHCPperWLANbyenteringthiscommand: config flexconnect group group-name central-dhcp wlan-id { enable override dns | disable | delete } Step10 ConfiguretheDHCPoverriddeninterfaceforFlexConnectgroup,usethe configflexconnectgroupflexgroupdhcpoverridden-interfaceenable command. Step11 ConfigurepolicyaclonFlexConnectgroupbyenteringthiscommand: config flexconnect group group_name policy acl { add | delete } acl-name Step12 Configureweb-authaclonflexconnectgroupbyenteringthiscommand: config flexconnect group group_name web-auth wlan wlan-id acl acl-name { enable | disable } Step13 Configurewlan-vlanmappingonflexconnectgroupbyenteringthiscommand: config flexconnect group group_name wlan-vlan wlan wlan-id { add | delete } vlan vlan-id Step14 Tosetefficientupgradeforgroup,enterthiscommand: config flexconnect group group_name predownload { enable | disable | master | slave } ap-name retry-count maximum retry count ap-name ap-name Step15 Saveyourchangesbyenteringthiscommand: saveconfig Step16 Seethecurrentlistofflexconnectgroupsbyenteringthiscommand: show flexconnect group summary Step17 SeethedetailsforaspecificFlexConnectGroupsbyenteringthiscommand: show flexconnect group detail group_name

using CCKM, use the WLC command "configwlansecuritywpaakmcckmtimestamp-tolerance5000" to increase the likelihood of performing a fast roam.)

PEAP Under Unified Wireless Networks with Microsoft Internet Authentication Service (IAS) -Cisco http://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/100397-peap-ias.html

Choose the Security tab; choose WPA/WPA2/CCKM ; under WPA/WPA2/CCKM EAP, type choose PEAP[EAP-MSCHAPv2] , and click Configure .